Abstract. In 1998, Blaze, Bleumer, and Strauss suggested a cryptographic primitive named proxy 
re-signatures where a proxy turns a signature computed under Alice's secret key into one from Bob on 
the same message. The semi-trusted proxy does not learn either party's signing key and cannot sign 
arbitrary messages on behalf of Alice or Bob. At CCS 2005, Ateniese and Hohenberger revisited the 
primitive by providing appropriate security definitions and efficient constructions in the random oracle 
model. Nonetheless, they left open the problem of designing a multi-use unidirectional scheme where 
the proxy is able to translate in only one direction and signatures can be re-translated several times. 
This paper solves this problem, suggested for the first time 10 years ago, and shows the first multi-hop 
unidirectional proxy re-signature schemes. We describe a random-oracle-using system that is secure in 
the Ateniese-Hohenberger model. The same technique also yields a similar construction in the standard 
model (i.e. without relying on random oracles). Both schemes are efficient and require newly defined - 
but falsifiable - Diffie-Hellman-like assumptions in bilinear groups. 

Keywords. Multi-use proxy re-signatures, unidirectionality, pairings. 

1 Introduction 

In 1998, Blaze, Bleumer and Strauss [8] proposed a cryptographic primitive where a semi-trusted proxy is 
given some information that allows turning Alice's signature on a message into Bob's signature on the same 
message. These proxy re-signatures (PRS) - not to be confused with proxy signatures [23] - require that the 
proxy be unable to sign on behalf of Alice or Bob on its own. The last few years saw a renewed interest in 
proxy re-cryptography [3-5, 17-19, 12]. 

This paper presents the first constructions of multi-use unidirectional proxy re-signature wherein the 
proxy can only translate signatures in one direction and messages can be re-signed a polynomial number of 
times. Our constructions are efficient and demand new (but falsifiable) Diffie-Hellman-related intractability 
assumptions in bilinear map groups. One of our contributions is a secure scheme in the standard model (i.e. 
without resorting to the random oracle model). 

Related work. Alice - the delegator - can easily designate a proxy translating signatures computed using 
Bob's secret key - Bob being the delegatee - into ones that are valid w.r.t. her public key by storing her secret key at 
the proxy. Upon receiving Bob's signatures, the proxy can check them and re-sign the message using Alice's 
private key. The problem with this approach is that the proxy can sign arbitrary messages on behalf of Alice. 
Proxy re-signatures aim at securely enabling the delegation of signatures without fully trusting the proxy. 
They are related to proxy signatures, introduced in [23] and revisited in [16, 9, 22], in that any PRS can be 
used to implement a proxy signature mechanism but the converse is not necessarily true. 

In 1998, Blaze et al. [8] gave the first example of PRS where signing keys remain hidden from the proxy. 
The primitive was formalized in 2005 by Ateniese and Hohenberger [5] who pinned down useful properties 
that can be expected from proxy re-signature schemes: 

1. Unidirectional: re-signature keys can only be used for delegation in one direction; 

2. Multi-use: a message can be re-signed a polynomial number of times; 

3. Private Proxy: re-signature keys can be kept secret by an honest proxy; 

4. Transparent: a user may not even know that a proxy exists; 

5. Unlinkable: a re-signature cannot be linked to the one from which it was generated; 

6. Key optimal: a user is only required to store a constant amount of secret data; 

7. Non-interactive: the delegatee does not act in the delegation process; 

8. Non-transitive: the proxy cannot re-delegate signing rights. 

Blaze et al.'s construction is bidirectional (i.e. the proxy information allows "translating" signatures in 
either direction) and multi-use (i.e. the translation of signatures can be performed in sequence and multiple 
times by distinct proxies without requiring the intervention of signing entities). Unfortunately, Ateniese and 
Hohenberger [5] pinpointed a flaw in the latter scheme: given a signature/re-signature pair, anyone can 
deduce the re-signature key that has been used in the delegation (i.e. the private proxy property is not 
satisfied). Another issue in [8] is that the proxy and the delegatee can collude to expose the delegator's 
secret. 

To overcome these limitations, Ateniese and Hohenberger proposed two constructions based on bilinear 
maps. The first one is a quite simple multi-use, bidirectional protocol built on Boneh-Lynn-Shacham (BLS) 
signatures [11]. Their second scheme is unidirectional (the design of such a scheme was an open problem raised 
in [8]) but single-use. It involves two different signature algorithms: first-level signatures can be translated by 
the proxy whilst second-level signatures cannot. A slightly less efficient variant was also suggested to ensure 
the privacy of re-signature keys kept at the proxy. The security of all schemes was analyzed in the random 
oracle model [7]. 

Our contributions. Ateniese and Hohenberger left as open challenges the design of multi-use unidirectional 
systems and that of secure schemes in the standard security model. The present paper solves both problems: 

— we present a simple and efficient system (built on the short signature put forth by Boneh et al. [11]) which 
is secure in the random oracle model under a reasonable extension of the Diffie-Hellman assumption; 

— using an elegant technique due to Waters [27], the scheme is easily modified so as to achieve security in 
the standard model. To the best of our knowledge, this actually provides the first unidirectional PRS 
that dispenses with random oracles and thereby improves a recent bidirectional construction [25]. 

Both proposals additionally preserve the privacy of proxy keys (with an improved efficiency w.r.t. [5] in the 
case of the first one). They combine almost all of the above properties. As in prior unidirectional schemes, 
proxies are not completely transparent since signatures have different shapes and lengths across successive 
levels. The size of our signatures actually grows linearly with the number of past translations: signatures at 
level $\ell$ (i.e. that have been translated $\ell - i$ times if the original version was signed at level $i$) consist of about 
$2\ell$ group elements. In spite of this blow-up, we retain important benefits: 

— signers may want to tolerate a limited number (say $t$) of signature translations for specific messages. Then, 
if at most $L$ translations are permitted in the global system, users can directly generate a signature at 
level $L - t$. 

— the conversion of a level $i$ signature is indistinguishable from one generated at level $i+1$ by the second 
signer. The original signer's identity is moreover perfectly hidden and the verifier only needs the new 
signer's public key. 

The simplicity of our schemes makes them attractive for applications that motivated the search for multi- 
use unidirectional systems in [5]. One of them was to provide a proof that a certain path was taken in a 
directed graph: for instance, U.S. customs only need one public key (the one of the immigration agent who 
previously validated a signature on an e-passport) to make sure that a foreign visitor legally entered the 
country and went through the required checkpoints. Another application was the conversion of certificates 
where valid signatures for untrusted public keys can be turned into signatures that verify under trusted 
keys. As exemplified in [5], unidirectional schemes are quite appealing for converting certificates between 
ad-hoc networks: using the public key of network B's certification authority (CA), the CA of network A can 
non-interactively compute a translation key and set up a proxy converting certificates from network B within 
its own domain without having to rely on untrusted nodes of B. 

ROADMAP. In the forthcoming sections, we recall the syntax of unidirectional PRS schemes and the security 
model in section 2. Section 3 explains which algorithmic assumptions we need. Section 4 describes our 
random-oracle-using scheme. Section 5 details how to get rid of the random oracle idealization. 




2 Model and Security Notions 



We first recall the syntactic definition of unidirectional PRS schemes from [5]. 

Definition 1 (Proxy Re-Signatures). A (unidirectional) proxy re-signature (PRS) scheme for $N$ signers 
and $L$ levels (where $N$ and $L$ are both polynomial in the security parameter $\lambda$) consists of a tuple of (possibly 
randomized) algorithms (Global-Setup, Keygen, ReKeygen, Sign, Re-Sign, Verify) where: 

Global-Setup($\lambda$): is a randomized algorithm (possibly run by a trusted party) that takes as input a security 
parameter $\lambda$ and produces a set of system-wide public parameters $cp$. 

Keygen($cp$): is a probabilistic algorithm that, on input of public parameters $cp$, outputs a signer's private/public 
key pair $(sk, pk)$. 

ReKeygen($cp$, $pk_i$, $sk_j$): on input of public parameters $cp$, signer $i$'s public key $pk_i$ and signer $j$'s private key 
$sk_j$, this (ideally non-interactive) algorithm outputs a re-signature key $R_{ij}$ that allows translating $i$'s 
signatures into signatures in the name of $j$. 

Sign($cp$, $\ell$, $sk_i$, $m$): on input of public parameters $cp$, a message $m$, a private key $sk_i$ and an integer $\ell \in 
\{1, \ldots, L\}$, this (possibly probabilistic) algorithm outputs a signature $\sigma$ on behalf of signer $i$ at level $\ell$. 

Re-Sign($cp$, $\ell$, $m$, $\sigma$, $R_{ij}$, $pk_i$, $pk_j$): given common parameters $cp$, a level $\ell < L$ signature $\sigma$ from signer $i \in 
\{1, \ldots, N\}$ and a re-signature key $R_{ij}$, this (possibly randomized) algorithm first checks that $\sigma$ is valid 
w.r.t. $pk_i$. If yes, it outputs a signature $\sigma'$ which verifies at level $\ell+1$ under public key $pk_j$. 

Verify($cp$, $\ell$, $m$, $\sigma$, $pk_i$): given public parameters $cp$, an integer $\ell \in \{1, \ldots, L\}$, a message $m$, an alleged 
signature $\sigma$ and a public key $pk_i$, this deterministic algorithm outputs $0$ or $1$. 

For all security parameters $\lambda \in \mathbb{N}$ and system-wide parameters $cp$ output by Global-Setup($\lambda$), for all couples 
of private/public key pairs $(sk_i, pk_i)$, $(sk_j, pk_j)$ produced by Keygen($cp$), for any $\ell \in \{1, \ldots, L\}$ and message 
$m$, we should have 

$$\mathrm{Verify}(cp, \ell, m, \mathrm{Sign}(cp, \ell, sk_i, m), pk_i) = 1;$$
$$\mathrm{Verify}(cp, \ell+1, m, \text{Re-Sign}(cp, \ell, m, \mathrm{Sign}(cp, \ell, sk_i, m), \mathrm{ReKeygen}(cp, pk_i, sk_j)), pk_j) = 1.$$

To lighten notations, we sometimes omit to explicitly include public parameters $cp$ that are part of the input 
of all but one algorithm. 

The security model of [5] considers the following two orthogonal notions termed external and insider 
security. 

External security: is the security against adversaries outside the system (that differ from the proxy and 
delegation partners). This notion demands that the next probability be a negligible function of the 
security parameter $\lambda$: 

$$\Pr\Big[\{(pk_i, sk_i) \leftarrow \mathrm{Keygen}(\lambda)\}_{i \in [1,N]},\ (i^*, L, m^*, \sigma^*) \leftarrow \mathcal{A}^{\mathcal{O}_{sign}(\cdot),\, \mathcal{O}_{resign}(\cdot)}\big(\{pk_i\}_{i \in [1,N]}\big) : \mathrm{Verify}(L, pk_{i^*}, m^*, \sigma^*) \wedge (i^*, m^*) \notin Q\Big]$$

where $\mathcal{O}_{sign}(\cdot)$ is an oracle taking as input a message and an index $i \in \{1, \ldots, N\}$ to return a first level 
signature $\sigma \leftarrow \mathrm{Sign}(1, sk_i, m)$; the oracle $\mathcal{O}_{resign}(\cdot)$ takes as input indices $i, j \in \{1, \ldots, N\}$ and a level $\ell$ 
signature $\sigma$ and returns the output of $\sigma' \leftarrow \text{Re-Sign}(\ell, m, \sigma, \mathrm{ReKeygen}(pk_i, sk_j))$; and $Q$ denotes the set 
of (signer, message) pairs $(i, m)$ queried to $\mathcal{O}_{sign}(\cdot)$ or such that a tuple $(?, j, i, m)$, with $j \in \{1, \ldots, N\}$, 
was queried to $\mathcal{O}_{resign}(\cdot)$. This notion only makes sense if re-signing keys are kept private by the proxy. 

Internal security: The second security notion considered in [5] strives to protect users, as much as possible, 
against dishonest proxies and colluding delegation partners. Three security guarantees should be ensured. 

1. Limited Proxy security: this notion captures the proxy's inability to sign messages on behalf of 
the delegatees or to create signatures for the delegator unless messages were first signed by one of the 
latter's delegatees. Formally, we consider a game where adversaries have all re-signing keys but are 
denied access to signers' private keys. The following probability should be negligible: 

$$\Pr\Big[\{(pk_i, sk_i) \leftarrow \mathrm{Keygen}(\lambda)\}_{i \in [1,N]},\ \{R_{ij} \leftarrow \mathrm{ReKeygen}(pk_i, sk_j)\}_{i,j \in [1,N]},\ (i^*, L, m^*, \sigma^*) \leftarrow \mathcal{A}^{\mathcal{O}_{sign}(\cdot,\cdot)}\big(\{pk_i\}_{i \in [1,N]}, \{R_{ij}\}_{i,j \in [1,N]}\big) : \mathrm{Verify}(L, pk_{i^*}, m^*, \sigma^*) \wedge m^* \notin Q\Big]$$

where $\mathcal{O}_{sign}(\cdot, \cdot)$ is an oracle taking as input a message and an index $i \in \{1, \ldots, N\}$ to return a first 
level signature $\sigma \leftarrow \mathrm{Sign}(1, sk_i, m)$ and $Q$ stands for the set of messages $m$ queried to the signing 
oracle. 

2. Delegatee Security: informally, this notion protects the delegatee from a colluding delegator and 
proxy. Namely, the delegatee is assigned the index $0$. The adversary is provided with an oracle 
returning first level signatures on behalf of $0$ and is also granted access to re-signature keys¹ $R_{0i}$ for 
all $i \neq 0$ (but not $R_{i0}$ for any $i$). Her probability of success 

$$\Pr\Big[\{(pk_i, sk_i) \leftarrow \mathrm{Keygen}(\lambda)\}_{i \in [0,N]},\ \{R_{ij} \leftarrow \mathrm{ReKeygen}(pk_i, sk_j)\}_{i \in \{0,\ldots,N\},\, j \in \{1,\ldots,N\}},\ (L, m^*, \sigma^*) \leftarrow \mathcal{A}^{\mathcal{O}_{sign}(0,\cdot)}\big(pk_0, \{pk_i, sk_i\}_{i \in [1,N]}, \{R_{ij}\}_{i \in \{0,\ldots,N\},\, j \in \{1,\ldots,N\}}\big) : \mathrm{Verify}(L, pk_0, m^*, \sigma^*) \wedge m^* \notin Q\Big],$$

where $Q$ is the set of messages queried to $\mathcal{O}_{sign}(0, \cdot)$, should be negligible. 

3. Delegator Security: this notion captures that a collusion between the delegatee and the proxy 
should be harmless for the honest delegator. Namely, we consider a target delegator with index $0$. 
The adversary is given private keys of all other signers $i \in \{1, \ldots, N\}$ as well as all re-signature keys 
including $R_{i0}$ and $R_{0i}$ for $i \in \{1, \ldots, N\}$. A signing oracle $\mathcal{O}_{sign}(0, \cdot)$ also provides her with first 
level signatures for $0$. Yet, the following probability should be negligible, 

$$\Pr\Big[\{(pk_i, sk_i) \leftarrow \mathrm{Keygen}(\lambda)\}_{i \in [0,N]},\ \{R_{ij} \leftarrow \mathrm{ReKeygen}(pk_i, sk_j)\}_{i,j \in [0,N]},\ (1, m^*, \sigma^*) \leftarrow \mathcal{A}^{\mathcal{O}_{sign}(0,\cdot)}\big(pk_0, \{pk_i, sk_i\}_{i \in [1,N]}, \{R_{ij}\}_{i,j \in [0,N]}\big) : \mathrm{Verify}(1, pk_0, m^*, \sigma^*) \wedge m^* \notin Q\Big],$$

meaning she has little chance of framing user $0$ at the first level. 

An important difference between external and limited proxy security should be underlined. In the former, 
the attacker is allowed to obtain signatures on the target message m* for signers other than i*. In the latter, 
the target message cannot be queried for signature at all (knowing all proxy keys, the attacker would trivially 
win the game otherwise). 

3 Bilinear Maps and Complexity Assumptions 

Bilinear groups. Groups $(\mathbb{G}, \mathbb{G}_T)$ of prime order $p$ are called bilinear map groups if there is a mapping 
$e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ with the following properties: 

1. bilinearity: $e(g^a, h^b) = e(g, h)^{ab}$ for any $(g, h) \in \mathbb{G} \times \mathbb{G}$ and $a, b \in \mathbb{Z}$; 

2. efficient computability for any input pair; 

3. non-degeneracy: $e(g, h) \neq 1_{\mathbb{G}_T}$ whenever $g, h \neq 1_{\mathbb{G}}$. 

¹ In non-interactive schemes, the adversary can compute those keys herself from $pk_0$ and $sk_i$, with $i \neq 0$, and the 
definition can be simplified. In the general case, they remain part of the adversary's input. 

In these groups, we assume the hardness of the well-known Computational Diffie-Hellman (CDH) problem 
which is to compute $g^{ab}$ given $g^a$ and $g^b$. 

Flexible Diffie-Hellman problems. Our signatures rely on new generalizations of the Diffie-Hellman 
problem. To motivate them, let us first recall the definition of the 2-out-of-3 Diffie-Hellman problem [20]. 

Definition 2. In a prime order group $\mathbb{G}$, the 2-out-of-3 Diffie-Hellman problem (2-3-CDH) is, given 
$(g, g^a, g^b)$, to find a pair $(C, C^{ab}) \in \mathbb{G} \times \mathbb{G}$ with $C \neq 1_{\mathbb{G}}$. 

We introduce a potentially harder version of this problem that we call 1-Flexible Diffie-Hellman problem: 

Definition 3. The 1-Flexible Diffie-Hellman problem (1-FlexDH) is, given $(g, A = g^a, B = g^b) \in \mathbb{G}^3$, to 
find a triple $(C, C^a, C^{ab}) \in (\mathbb{G} \setminus \{1_{\mathbb{G}}\})^3$. 

The unforgeability of our multi-use unidirectional proxy re-signatures is proved assuming the intractability 
of a relaxed variant of this problem where more flexibility is permitted in the choice of the base $C$ for the 
Diffie-Hellman computation. 

Definition 4. The $\ell$-Flexible Diffie-Hellman problem ($\ell$-FlexDH) is, given $(g, A = g^a, B = g^b) \in \mathbb{G}^3$, to 
find a $(2\ell + 1)$-uple 

$$(C_1, \ldots, C_\ell, D_1^a, \ldots, D_\ell^a, D_\ell^{ab}) \in \mathbb{G}^{2\ell+1}$$

where $\log_g(D_j) = \prod_{i=1}^{j} \log_g(C_i)$ for $j \in \{1, \ldots, \ell\}$. 

A given instance has many publicly verifiable solutions: a candidate $(2\ell + 1)$-tuple $(C_1, \ldots, C_\ell, D'_1, \ldots, D'_\ell, T)$ 
is acceptable if $e(C_1, A) = e(D'_1, g)$, $e(D'_j, g) = e(D'_{j-1}, C_j)$ for $j = 2, \ldots, \ell$, and $e(D'_\ell, B) = e(T, g)$. The 
$\ell$-FlexDH assumption is thus falsifiable according to Naor's classification [24]. 

In generic groups, the general intractability result given by theorem 1 of [20] by Kunz-Jacques and 
Pointcheval implies the generic hardness of $\ell$-FlexDH. For completeness, appendix A gives an adaptation of 
this result in generic bilinear groups. 

Remark 1. The knowledge-of-exponent assumption (KEA1) [6] was introduced in 1991 by Damgård [14]. 
Roughly speaking, KEA1 captures the intuition that any algorithm which, given elements $(g, g^a) \in \mathbb{G}^2$, 
computes a pair $(h, h^a) \in \mathbb{G}^2$ must "know" $\log_g(h)$. Under KEA1, the intractability of the $\ell$-Flexible Diffie-Hellman 
problem is easily seen to boil down to the Diffie-Hellman assumption. Given $(g, g^a)$, an adversary 
outputting $(C_1, D_1^a) = (C_1, C_1^a)$ necessarily "knows" $t_1 = \log_g C_1$ and thus also $(C_2, D_2^a) = (C_2, C_2^{a t_1})$ 
as well as $t_2 = \log_g C_2$, which in turn successively yields logarithms of $C_3, \ldots, C_\ell$. Although the KEA1 
assumption is inherently non-falsifiable, it holds in generic groups [15, 1] and our results can be seen as 
resting on the combination CDH+KEA1. 

Modified Diffie-Hellman problem. The second assumption that we need is that the CDH problem 
$(g^a, g^b)$ remains hard even when $g^{1/a}$ is available. 

Definition 5. The modified Computational Diffie-Hellman problem (mCDH) is, given $(g, g^a, g^{1/a}, g^b) \in 
\mathbb{G}^4$, to compute $g^{ab} \in \mathbb{G}$. 

In fact, we use an equivalent formulation of the problem which is to find $h^{xy}$ given $(h, h^{1/x}, h^{1/x^2}, h^y)$ (the 
equivalence is readily observed by defining $g = h^{1/x}$, $x = a$, $y = b/a$). 
4 A Multi-Hop Scheme in the Random Oracle Model 



To provide a better intuition of the underlying idea of our scheme, we first describe its single-hop version 
before extending it into a multi-hop system. 

Our approach slightly differs from the one in [5] where signers have a "strong" secret and a "weak" secret 
that are respectively used to produce first and second level signatures. In our scheme, users have a single 
secret but first and second level signatures retain different shapes. Another difference is that our re-signature 
algorithm is probabilistic. 

We exploit the idea that, given $g^b \in \mathbb{G} = \langle g \rangle$ for some $b \in \mathbb{Z}$, one can hardly complete it into a Diffie-Hellman 
triple $(g^b, g^a, g^{ab})$ without knowing the corresponding exponent $a$ [14]. A valid BLS signature [11] $(\sigma = 
H(m)^x, X = g^x)$ can be blinded into $(\sigma'_1, \sigma'_2) = (\sigma^t, X^t)$ using a random exponent $t$. An extra element $g^t$ 
then serves as evidence that $(\sigma'_1, \sigma'_2)$ actually hides a valid pair. This technique can be iterated several times 
by adding two group elements at each step. To translate signatures from signer $i$ to signer $j$, the key idea is to 
have the proxy perform an appropriate change of variable involving the translation key during the blinding. 

The scheme is obviously not strongly unforgeable in the sense of [2] (since all but first level signatures 
can be publicly re-randomized) but this "malleability" of signatures is not a weakness whatsoever. It even 
turns out to be a desirable feature allowing for the unlinkability of translated signatures w.r.t. original ones. 

4.1 The Single Hop Version 

In this scheme, signers' public keys consist of a single group element $X = g^x \in \mathbb{G}$. Their well-formedness is 
thus efficiently verifiable by the certification authority that just has to check their membership in $\mathbb{G}$. This 
already improves [5] where public keys $(X_1, X_2) = (g^x, h^{1/x}) \in \mathbb{G}^2$ ($g$ and $h$ being common parameters) must 
be validated by testing whether $e(X_1, X_2) = e(g, h)$. 

Global-setup($\lambda$): this algorithm chooses bilinear groups $(\mathbb{G}, \mathbb{G}_T)$ of prime order $p > 2^\lambda$. A generator $g \in \mathbb{G}$ 
and a hash function $H : \{0,1\}^* \to \mathbb{G}$ (modeled as a random oracle in the security proof) are also chosen. 
Public parameters only consist of $cp := \{\mathbb{G}, \mathbb{G}_T, g, H\}$. 

Keygen($\lambda$): user $i$'s public key is set as $X_i = g^{x_i}$ for a random $x_i \leftarrow \mathbb{Z}_p^*$. 

ReKeygen($x_j$, $X_i$): this algorithm outputs the proxy key $R_{ij} = X_i^{1/x_j} = g^{x_i/x_j}$ which allows turning 
signatures from $i$ into signatures from $j$. 

Sign(1, $x_i$, $m$): to sign $m \in \{0,1\}^*$ at level 1, compute $\sigma^{(1)} = H(m)^{x_i} \in \mathbb{G}$. 

Sign(2, $x_i$, $m$): to sign $m \in \{0,1\}^*$ at level 2, choose $t \leftarrow \mathbb{Z}_p^*$ and compute 

$$\sigma^{(2)} = (\sigma_0, \sigma_1, \sigma_2) = \big(H(m)^{x_i t},\ X_i^t,\ g^t\big). \qquad (1)$$

Re-Sign(1, $m$, $\sigma^{(1)}$, $R_{ij}$, $X_i$, $X_j$): on input of $m \in \{0,1\}^*$, the re-signature key $R_{ij} = g^{x_i/x_j}$, a signature $\sigma^{(1)} \in 
\mathbb{G}$ and public keys $X_i, X_j$, check the validity of $\sigma^{(1)}$ w.r.t. signer $i$ by testing $e(\sigma^{(1)}, g) = e(H(m), X_i)$. If 
valid, $\sigma^{(1)}$ is turned into a signature on behalf of $j$ by choosing $t \leftarrow \mathbb{Z}_p^*$ and computing 

$$\sigma^{(2)} = (\sigma'_0, \sigma'_1, \sigma'_2) = \big(\sigma^{(1)\,t},\ X_i^t,\ R_{ij}^t\big) = \big(H(m)^{x_i t},\ X_i^t,\ g^{t x_i / x_j}\big).$$

If we set $\tilde t = t x_i / x_j$, we have 

$$\sigma^{(2)} = (\sigma'_0, \sigma'_1, \sigma'_2) = \big(H(m)^{x_j \tilde t},\ X_j^{\tilde t},\ g^{\tilde t}\big). \qquad (2)$$

Verify(1, $m$, $\sigma^{(1)}$, $X_i$): this algorithm accepts iff $e(\sigma^{(1)}, g) = e(H(m), X_i)$. 

Verify(2, $m$, $\sigma^{(2)}$, $X_i$): a second level signature $\sigma^{(2)} = (\sigma_0, \sigma_1, \sigma_2)$ is accepted for the public key $X_i$ if the 
following conditions are true: 

$$e(\sigma_0, g) = e(\sigma_1, H(m)), \qquad e(\sigma_1, g) = e(X_i, \sigma_2).$$

Relations (1) and (2) show that translated signatures have exactly the same distribution as signatures directly 
produced by signers at level 2. 

In comparison with the only known unidirectional PRS with private re-signing keys (suggested in section 
3.4.2 of [5]), this one features shorter second level signatures: those of [5] must include a Schnorr-like [26] proof of 
knowledge in addition to 3 group elements. On the other hand, signatures of [5] are strongly unforgeable 
unlike ours. 

It is also worth mentioning that the above scheme only requires the 1-Flexible Diffie-Hellman assumption 
which is more classical than the general $\ell$-FlexDH. 



4.2 How to Obtain Multiple Hops 

The above construction can be scaled up into a multi-hop PRS scheme if we iteratively apply the same 
idea several times. To prevent the linkability of signatures between successive levels $\ell + 1$ and $\ell + 2$, the 
re-signature algorithm performs a re-randomization using random exponents $r_1, \ldots, r_\ell$. 

Sign($\ell + 1$, $x_i$, $m$): to sign $m \in \{0,1\}^*$ at the $(\ell+1)$-th level, user $i$ chooses $(t_1, \ldots, t_\ell) \leftarrow (\mathbb{Z}_p^*)^\ell$ and outputs 
$\sigma^{(\ell+1)} = (\sigma_0, \ldots, \sigma_{2\ell}) \in \mathbb{G}^{2\ell+1}$ where 

$$\sigma_0 = H(m)^{x_i t_1 \cdots t_\ell}, \qquad \sigma_k = g^{x_i t_1 \cdots t_{\ell+1-k}} \ \text{ for } k \in \{1, \ldots, \ell\}, \qquad \sigma_k = g^{t_{k-\ell}} \ \text{ for } k \in \{\ell+1, \ldots, 2\ell\}.$$

Re-Sign($\ell + 1$, $m$, $\sigma^{(\ell+1)}$, $R_{ij}$, $X_i$, $X_j$): on input of a message $m \in \{0,1\}^*$, the re-signature key $R_{ij} = g^{x_i/x_j}$, 
a valid $(\ell+1)$-th level signature 

$$\sigma^{(\ell+1)} = (\sigma_0, \ldots, \sigma_{2\ell})$$

and public keys $X_i, X_j$, check the validity of $\sigma^{(\ell+1)}$ under $X_i$. If valid, $\sigma^{(\ell+1)}$ is turned into an $(\ell+2)$-th level signature 
on behalf of $j$ by drawing $(r_0, r_1, \ldots, r_\ell) \leftarrow (\mathbb{Z}_p^*)^{\ell+1}$ and computing $\sigma^{(\ell+2)} = (\sigma'_0, \ldots, \sigma'_{2\ell+2}) \in \mathbb{G}^{2\ell+3}$ 
where 

$$\sigma'_0 = \sigma_0^{r_0 r_1 \cdots r_\ell}, \qquad \sigma'_k = \sigma_k^{r_0 r_1 \cdots r_{\ell+1-k}} \ \text{ for } k \in \{1, \ldots, \ell\},$$
$$\sigma'_{\ell+1} = X_i^{r_0}, \qquad \sigma'_{\ell+2} = R_{ij}^{r_0}, \qquad \sigma'_k = \sigma_{k-2}^{r_{k-\ell-2}} \ \text{ for } k \in \{\ell+3, \ldots, 2\ell+2\}.$$

If we define $\tilde t_0 = r_0 x_i / x_j$ and $\tilde t_k = r_k t_k$ for $k = 1, \ldots, \ell$, we observe that $\sigma^{(\ell+2)}$ is exactly the output of 
Sign($\ell + 2$, $x_j$, $m$) with exponents $(\tilde t_0, \tilde t_1, \ldots, \tilde t_\ell)$: 

$$\sigma^{(\ell+2)} = \big(H(m)^{x_j \tilde t_0 \tilde t_1 \cdots \tilde t_\ell},\ g^{x_j \tilde t_0 \tilde t_1 \cdots \tilde t_\ell},\ \ldots,\ g^{x_j \tilde t_0 \tilde t_1},\ g^{x_j \tilde t_0},\ g^{\tilde t_0},\ g^{\tilde t_1},\ \ldots,\ g^{\tilde t_\ell}\big).$$

Verify($\ell + 1$, $m$, $\sigma^{(\ell+1)}$, $X_i$): the validity of $\sigma^{(\ell+1)} = (\sigma_0, \ldots, \sigma_{2\ell}) \in \mathbb{G}^{2\ell+1}$ at level $\ell + 1$ is checked by testing 
if these equalities simultaneously hold: 

$$e(\sigma_0, g) = e(H(m), \sigma_1), \qquad e(\sigma_\ell, g) = e(X_i, \sigma_{\ell+1}), \qquad e(\sigma_k, g) = e(\sigma_{k+1}, \sigma_{2\ell-k+1}) \ \text{ for } k \in \{1, \ldots, \ell-1\}.$$



4.3 Security 

Theorem 1. The $L$-level scheme is a secure unidirectional proxy re-signature under the $(L-1)$-FlexDH and 
mCDH assumptions in the random oracle model. 

Proof. Limited proxy security. We show that an adversary $\mathcal{A}_1$ with advantage $\varepsilon$ implies an algorithm $\mathcal{B}_1$ 
solving an $(L-1)$-FlexDH instance $(g, A = g^a, B = g^b)$ with probability $O(\varepsilon/q_s)$, where $q_s$ is the number of 
signing queries made by $\mathcal{A}_1$. 
System parameters: $\mathcal{A}_1$ is challenged on parameters $(\mathbb{G}, \mathbb{G}_T, g, \mathcal{O}_H)$ where $\mathcal{O}_H$ is the random oracle 
controlled by the simulator $\mathcal{B}_1$. 

Public key generation: when $\mathcal{A}_1$ asks for the creation of user $i \in \{1, \ldots, N\}$, $\mathcal{B}_1$ responds with a newly 
generated public key $X_i = A^{x_i} = g^{a x_i}$, for a random $x_i \leftarrow \mathbb{Z}_p^*$, which virtually defines user $i$'s private 
key as $a x_i$. For all pairs $(i, j)$, re-signature keys $R_{ij}$ are calculated as $R_{ij} = g^{x_i/x_j} = g^{a x_i / (a x_j)}$. 

Oracle queries: $\mathcal{A}_1$'s queries are tackled with as follows. Following a well-known technique due to Coron 
[13], a binary coin $c \in \{0,1\}$ with expected value $1 - \zeta \in [0,1]$ decides whether $\mathcal{B}_1$ introduces the challenge 
in the output of the random oracle or an element of known signature. For the optimal value of $\zeta$, this 
introduces the loss factor $O(q_s)$ in the success probability. 

• Random oracle queries: To respond to these queries, $\mathcal{B}_1$ maintains a list (referred to as the $H$-List) 
of tuples $(m, h, \mu, c)$ as follows: 

1. If the query $m$ already appears in the $H$-List, then $\mathcal{B}_1$ returns $h$; 

2. Otherwise, $\mathcal{B}_1$ generates a random bit $c$ such that $\Pr[c = 0] = \zeta$; 

3. It picks uniformly at random $\mu \leftarrow \mathbb{Z}_p^*$ and computes $h = g^\mu$ if $c = 0$ and $h = B^\mu$ otherwise; 

4. It adds the 4-uple $(m, h, \mu, c)$ to the $H$-List and returns $h$ as the answer to the random oracle 
query. 

• Signing queries: when a signature of signer $i$ is queried for a message $m$, $\mathcal{B}_1$ runs the random oracle 
to obtain the 4-uple $(m, h, \mu, c)$ contained in the $H$-List. If $c = 1$ then $\mathcal{B}_1$ reports failure and aborts. 
Otherwise, the algorithm $\mathcal{B}_1$ returns $h^{a x_i} = A^{x_i \mu}$ as a valid signature on $m$. 

After a number of queries, $\mathcal{A}_1$ comes up with a message $m^*$, that was never queried for signature for any 
signer, an index $i^* \in \{1, \ldots, N\}$ and an $L$-th level forgery $\sigma^{*(L)} = (\sigma^*_0, \ldots, \sigma^*_{2L-2}) \in \mathbb{G}^{2L-1}$. At this stage, 
$\mathcal{B}_1$ runs the random oracle to obtain the 4-uple $(m^*, h^*, \mu^*, c^*)$ contained in the $H$-List and fails if $c^* = 0$. 
Otherwise, if $\sigma^{*(L)}$ is valid, it may be written 

$$(\sigma^*_0, \ldots, \sigma^*_{2L-2}) = \big(B^{\mu^* a x_{i^*} t_1 \cdots t_{L-1}},\ A^{x_{i^*} t_1 \cdots t_{L-1}},\ \ldots,\ A^{x_{i^*} t_1},\ g^{t_1},\ \ldots,\ g^{t_{L-1}}\big)$$

which provides $\mathcal{B}_1$ with a valid tuple $(C_1, \ldots, C_{L-1}, D_1^a, \ldots, D_{L-1}^a, D_{L-1}^{ab})$, where $D_{L-1}^{ab} = (\sigma^*_0)^{1/(\mu^* x_{i^*})}$, so that 
$\log_g(D_j) = \prod_{i=1}^{j} \log_g(C_i)$ for $j \in \{1, \ldots, L-1\}$. A similar analysis to [13, 11] gives the announced bound on 
$\mathcal{B}_1$'s advantage if the optimal probability $\zeta = q_s/(q_s + 1)$ is used when answering hash queries. 

Delegatee security. We also show how to break the $(L-1)$-FlexDH assumption out of a delegatee security 
adversary $\mathcal{A}_2$. Given an input pair $(A = g^a, B = g^b)$, the simulator $\mathcal{B}_2$ proceeds as $\mathcal{B}_1$ did in the proof of 
limited proxy security. 

System parameters and public keys: the target delegatee's public key is set as $X_0 = A = g^a$. For $i = 
1, \ldots, N$, other public keys are defined as $X_i = g^{x_i}$ for a random $x_i \leftarrow \mathbb{Z}_p^*$. To generate re-signature keys 
$R_{ij}$, $\mathcal{B}_2$ sets $R_{ij} = g^{x_i/x_j}$ when $i, j \neq 0$ and $R_{0j} = A^{1/x_j} = g^{a/x_j}$ for $j = 1, \ldots, N$. 

Queries: $\mathcal{A}_2$'s hash and signing queries are handled exactly as in the proof of limited proxy security. Namely, 
$\mathcal{B}_2$ fails if $\mathcal{A}_2$ asks for a signature on a message $m$ for which $H(m) = B^\mu$ and responds consistently 
otherwise. 

When $\mathcal{A}_2$ outputs her forgery $\sigma^{*(L)} = (\sigma^*_0, \ldots, \sigma^*_{2L-2})$ at level $L$, $\mathcal{B}_2$ is successful if $H(m^*) = B^{\mu^*}$, for some 
$\mu^* \in \mathbb{Z}_p^*$, and extracts an admissible $(2L-1)$-uple as done in the proof of limited proxy security. 

Delegator security. This security property is proven under the mCDH assumption. Given an adversary $\mathcal{A}_3$ 
with advantage $\varepsilon$, we outline an algorithm $\mathcal{B}_3$ that has probability $O(\varepsilon/q_s)$ of finding $g^{ab}$ given $(g, A = 
g^a, A' = g^{1/a}, B = g^b)$. 

Public key generation: as previously, the target public key is defined as $X_0 = A = g^a$. Remaining public 
keys are set as $X_i = g^{x_i}$ for a random $x_i \leftarrow \mathbb{Z}_p^*$ for $i = 1, \ldots, N$. This time, $\mathcal{A}_3$ aims at producing a first 
level forgery and is granted all re-signature keys, including $R_{0j}$ and $R_{j0}$. For indexes $(i, j)$ s.t. $i, j \neq 0$, 
$\mathcal{B}_3$ sets $R_{ij} = g^{x_i/x_j}$. If $i = 0$, it calculates $R_{0j} = A^{1/x_j} = g^{a/x_j}$. If $j = 0$ (and thus $i \neq 0$), $\mathcal{B}_3$ computes 
$R_{i0} = A'^{x_i} = g^{x_i/a}$ and hands these keys to $\mathcal{A}_3$. 

Hash and signing queries are dealt with exactly as for previous adversaries. Eventually, $\mathcal{A}_3$ produces a first 
level forgery $\sigma^{*(1)}$ for a new message $m^*$. Then, $\mathcal{B}_3$ can extract $g^{ab}$ if $H(m^*) = (g^b)^{\mu^*}$ for some $\mu^* \in \mathbb{Z}_p^*$, 
which occurs with probability $O(1/q_s)$ using Coron's technique [13]. Otherwise, $\mathcal{B}_3$ fails. 

External security. We finally show that an external security adversary $\mathcal{A}_4$ also allows breaking the $(L-1)$-FlexDH 
assumption almost exactly as in the proof of limited proxy security. The simulator $\mathcal{B}_4$ is given an 
instance $(g, A = g^a, B = g^b)$. As previously, $\mathcal{B}_4$ must "program" the random oracle $H$ hoping that its output 
will be $H(m^*) = B^{\mu^*}$ (where $\mu^* \in \mathbb{Z}_p^*$ is known) for the message $m^*$ that the forgery $\sigma^{*(L)}$ pertains to. 
The difficulty is that $\mathcal{B}_4$ must also be able to answer signing queries made on $m^*$ for all but one signers. 
Therefore, $\mathcal{B}_4$ must guess which signer $i^*$ will be $\mathcal{A}_4$'s prey beforehand. At the outset of the game, it thus 
chooses an index $i^* \leftarrow \{1, \ldots, N\}$. Signer $i^*$'s public key is set as $X_{i^*} = A = g^a$. All other signers $i \neq i^*$ 
are assigned public keys $X_i = g^{x_i}$ for which $\mathcal{B}_4$ knows the matching secret $x_i$ and can thus always answer 
signing queries. 

Hash queries and signing queries involving $i^*$ are handled as in the proof of limited proxy security. When 
faced with a re-signing query from $i$ to $j$ for a valid signature $\sigma^{(\ell)}$ at level $\ell \in \{1, \ldots, L\}$, $\mathcal{B}_4$ ignores $\sigma^{(\ell)}$ and 
simulates a first level signature for signer $j$. The resulting signature $\sigma'^{(1)}$ is then turned into an $(\ell+1)$-th level 
signature and given back to $\mathcal{A}_4$. A re-signing query thus triggers a signing query that only causes failure if 
$H(m)$ differs from $g^\mu$ for a known $\mu \in \mathbb{Z}_p^*$. 

When $\mathcal{A}_4$ forges a signature at level $L$, $\mathcal{B}_4$ successfully extracts a $(2L-1)$-uple solving the $(L-1)$-FlexDH instance 
(as $\mathcal{B}_1$ and $\mathcal{B}_2$ did) if $H(m^*) = (g^b)^{\mu^*}$ and if it correctly guessed the identity $i^*$ of the target signer. If $\mathcal{A}_4$'s 
advantage is $\varepsilon$, we find $O(\varepsilon/(N(q_s + q_{rs} + 1)))$ as a lower bound on $\mathcal{B}_4$'s probability of success, $q_s$ and $q_{rs}$ 
being the number of signature and re-signature queries respectively. □ 
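Added example (not from the paper): a Python model of the Section 4 algorithms and of the extraction step in the proof of Theorem 1. The bilinear group is simulated by its exponent ring, a constructed stand-in in which $g^x$ is stored as $x \bmod p$ and the pairing multiplies exponents, so discrete logarithms are trivial and the block checks only the algebra of Sign, Re-Sign, Verify and of the $(L-1)$-FlexDH solution recovered from a level-$L$ signature, not the scheme's security. The prime `P`, the SHA-256 stand-in for the random oracle and the programmed value $\mu^*$ chosen in the test are assumptions of the model.

```python
# Toy model of the multi-hop unidirectional PRS of Section 4 and of the extraction step
# used in the proof of Theorem 1.  Constructed for illustration: the bilinear group is
# simulated by its exponent ring, i.e. a group element g^x is stored as x mod P and the
# pairing e(g^x, g^y) = e(g,g)^{xy} is stored as x*y mod P.  Discrete logs are trivial
# here, so the block checks the algebra of Sign / Re-Sign / Verify, not the scheme's security.
import hashlib
import secrets
from math import prod

P = 2**127 - 1  # constructed prime standing in for the group order p

def H(m: bytes) -> int:
    """Random oracle H: {0,1}* -> G, returned as log_g H(m) (SHA-256 is an assumption)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % P or 1

def e(x: int, y: int) -> int:
    """Simulated pairing: the log of e(g^x, g^y) = e(g,g)^{xy}."""
    return x * y % P

def rand() -> int:
    return secrets.randbelow(P - 1) + 1  # uniform in Z_p^*

def keygen():
    x = rand()
    return x, x  # (x_i, X_i = g^{x_i})

def rekeygen(x_j: int, X_i: int) -> int:
    """R_ij = X_i^{1/x_j} = g^{x_i/x_j}: translates i's signatures into j's."""
    return X_i * pow(x_j, -1, P) % P

def sign(level: int, x_i: int, m: bytes) -> list:
    """Sign(ell+1, x_i, m): 2*ell+1 elements built from fresh exponents t_1..t_ell."""
    ell = level - 1
    t = [rand() for _ in range(ell)]
    sigma = [H(m) * x_i * prod(t) % P]                                      # H(m)^{x_i t_1...t_ell}
    sigma += [x_i * prod(t[: ell + 1 - k]) % P for k in range(1, ell + 1)]  # g^{x_i t_1...t_{ell+1-k}}
    return sigma + t                                                        # g^{t_1}, ..., g^{t_ell}

def verify(level: int, m: bytes, sigma: list, X_i: int) -> bool:
    """Verify(ell+1, m, sigma, X_i): the pairing equations of Sections 4.1 and 4.2."""
    ell = level - 1
    if len(sigma) != 2 * ell + 1:
        return False
    if ell == 0:  # first level is a plain BLS check
        return e(sigma[0], 1) == e(H(m), X_i)
    ok = e(sigma[0], 1) == e(H(m), sigma[1])
    ok &= e(sigma[ell], 1) == e(X_i, sigma[ell + 1])
    for k in range(1, ell):
        ok &= e(sigma[k], 1) == e(sigma[k + 1], sigma[2 * ell - k + 1])
    return ok

def resign(level: int, m: bytes, sigma: list, R_ij: int, X_i: int, X_j: int):
    """Re-Sign: a level ell+1 signature under X_i becomes a re-randomized level ell+2
    signature under X_j; the single-hop case of Section 4.1 is ell = 0."""
    ell = level - 1
    if not verify(level, m, sigma, X_i):
        return None
    r = [rand() for _ in range(ell + 1)]                                    # r_0, ..., r_ell
    out = [sigma[0] * prod(r) % P]                                          # sigma_0^{r_0...r_ell}
    out += [sigma[k] * prod(r[: ell + 2 - k]) % P for k in range(1, ell + 1)]  # sigma_k^{r_0..r_{ell+1-k}}
    out += [X_i * r[0] % P, R_ij * r[0] % P]                                # X_i^{r_0}, R_ij^{r_0}
    out += [sigma[k - 2] * r[k - ell - 2] % P for k in range(ell + 3, 2 * ell + 3)]  # sigma_{k-2}^{r_{k-ell-2}}
    return out

def hop_chain(m: bytes, L: int) -> bool:
    """Signer 1 signs m at level 1; proxies translate it through signers 2..L."""
    keys = [keygen() for _ in range(L)]
    sigma = sign(1, keys[0][0], m)
    for lvl in range(1, L):
        (_, X_i), (x_j, X_j) = keys[lvl - 1], keys[lvl]
        sigma = resign(lvl, m, sigma, rekeygen(x_j, X_i), X_i, X_j)
        if sigma is None or not verify(lvl + 1, m, sigma, X_j):
            return False
    return len(sigma) == 2 * L - 1

def extract_flexdh(L: int, sigma: list, x_star: int, mu_star: int) -> tuple:
    """Proof of Theorem 1: a valid level-L signature under X = A^{x*} on m* with
    H(m*) = B^{mu*} yields an (L-1)-FlexDH solution (C_1..C_{L-1}, D_1^a..D_{L-1}^a, D_{L-1}^{ab})."""
    ell = L - 1
    inv_x = pow(x_star, -1, P)
    C = sigma[ell + 1:]                                                     # g^{t_1}, ..., g^{t_ell}
    Da = [sigma[ell + 1 - j] * inv_x % P for j in range(1, ell + 1)]        # D_j^a = sigma_{ell+1-j}^{1/x*}
    Dab = sigma[0] * inv_x * pow(mu_star, -1, P) % P                        # D_ell^{ab} = sigma_0^{1/(mu* x*)}
    return C, Da, Dab

def check_flexdh(A: int, B: int, C: list, Da: list, T: int) -> bool:
    """Public verifiability of an ell-FlexDH candidate (Section 3)."""
    ok = e(C[0], A) == e(Da[0], 1)
    for j in range(1, len(C)):
        ok &= e(Da[j], 1) == e(Da[j - 1], C[j])
    return ok and e(Da[-1], B) == e(T, 1)
```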

5 Eliminating the Random Oracle 

Several extensions of BLS signatures have a standard model counterpart when Waters' technique supersedes 
random oracle manipulations (e.g. [21]). Likewise, we can very simply twist our method and achieve the first 
unidirectional PRS scheme (even including single hop ones) that avoids the random oracle model. Mutatis 
mutandis, the scheme is totally similar to our first construction and relies on the same assumptions. 



5.1 The Single Hop Variant 

As in [27], n denotes the length of messages to be signed. Arbitrary long messages can be signed if we 
first apply a collision-resistant hash function with n-bit outputs, in which case n is part of the security 
parameter. 

The scheme requires a trusted party to generate common public parameters. However, this party can 
remain off-line after the setup phase. 

Global-setup($\lambda$, $n$): given security parameters $\lambda, n$, this algorithm chooses bilinear groups $(\mathbb{G}, \mathbb{G}_T)$ of order 
$p > 2^\lambda$, generators $g, h \leftarrow \mathbb{G}$ and a random $(n+1)$-vector $\mathbf{u} = (u', u_1, \ldots, u_n) \leftarrow \mathbb{G}^{n+1}$. The latter defines 
a function $F : \{0,1\}^n \to \mathbb{G}$ mapping $n$-bit strings $m = m_1 \ldots m_n$ (where $m_i \in \{0,1\}$ for all $i \in \{1, \ldots, n\}$) 
onto $F(m) = u' \cdot \prod_{i=1}^{n} u_i^{m_i}$. The public parameters are 

$$cp := \{\mathbb{G}, \mathbb{G}_T, g, h, \mathbf{u}\}.$$

Keygen(A): user i sets his public key as = g'"' for a random Xi Z*. 

ReKeygen{xj , Xi): given user j's private key xj and user i's public key X^, generate the re-signature key 
Rij = xV^^ = g^*l^i that will be used to translate signature from i into signatures from j- 

Sign(l, m, .Ti): to sign a message m = m\...mn G {0,1}" at the first level, the signer picks r Z* at 
random and computes 

aW =(ao,al) = (/^-••F(m)^5'^) 
Sign($2, m, x_i$): to generate a second level signature on $m = m_1 \ldots m_n \in \{0,1\}^n$, the signer chooses $r, t \in \mathbb{Z}_p^*$ 
at random and computes 

$$\sigma^{(2)} = (\sigma_0, \sigma_1, \sigma_2, \sigma_3) = \left(h^{x_i t} \cdot F(m)^r,\ g^r,\ X_i^t,\ g^t\right). \qquad (3)$$

Re-Sign($1, m, \sigma^{(1)}, R_{ij}, X_i, X_j$): on input of a message $m \in \{0,1\}^n$, the re-signature key $R_{ij} = g^{x_i/x_j}$, a 
signature $\sigma^{(1)} = (\sigma_0, \sigma_1)$ and public keys $X_i, X_j$, check the validity of $\sigma^{(1)}$ w.r.t. signer $i$ by testing if 

$$e(\sigma_0, g) = e(X_i, h) \cdot e(F(m), \sigma_1). \qquad (4)$$

If $\sigma^{(1)}$ is valid, it can be turned into a signature on behalf of $j$ by choosing $r', t \in \mathbb{Z}_p^*$ at random and computing 

$$\sigma^{(2)} = \left(\sigma_0^t \cdot F(m)^{r'},\ \sigma_1^t \cdot g^{r'},\ X_i^t,\ R_{ij}^t\right) = \left(h^{x_i t} \cdot F(m)^{r''},\ g^{r''},\ X_i^t,\ g^{t x_i / x_j}\right),$$

where $r'' = tr + r'$. If we set $\tilde{t} = t x_i / x_j$, we observe that 

$$\sigma^{(2)} = (\sigma'_0, \sigma'_1, \sigma'_2, \sigma'_3) = \left(h^{x_j \tilde{t}} \cdot F(m)^{r''},\ g^{r''},\ X_j^{\tilde{t}},\ g^{\tilde{t}}\right). \qquad (5)$$

Verify($1, m, \sigma^{(1)}, X_i$): the validity of a first level signature $\sigma^{(1)} = (\sigma_0, \sigma_1)$ is checked by testing if relation (4) 
holds. 

Verify($2, m, \sigma^{(2)}, X_i$): a second level signature $\sigma^{(2)} = (\sigma_0, \sigma_1, \sigma_2, \sigma_3)$ is accepted for the public key $X_i$ if the 
following conditions are true: 

$$e(\sigma_0, g) = e(\sigma_2, h) \cdot e(F(m), \sigma_1) \qquad (6)$$
$$e(\sigma_2, g) = e(X_i, \sigma_3) \qquad (7)$$

To the best of our knowledge, the above scheme is the first unidirectional PRS in the standard model and 
solves another problem left open in [5] where all constructions require the random oracle model. Like the 
scheme of section 4, this extension of Waters' signature [27] is scalable into a multi-hop PRS. 

5.2 The Multi-Hop Extension 

At levels $\ell \geq 2$, algorithms Sign, Re-Sign and Verify are generalized as follows. 

Sign($\ell + 1, m, x_i$): to sign $m \in \{0,1\}^n$ at level $\ell + 1$, user $i$ picks $r \in \mathbb{Z}_p^*$, $(t_1, \ldots, t_\ell) \in (\mathbb{Z}_p^*)^\ell$ at random and outputs 
$\sigma^{(\ell+1)} = (\sigma_0, \ldots, \sigma_{2\ell+1}) \in \mathbb{G}^{2\ell+2}$ where 

$$\sigma_0 = h^{x_i t_1 \cdots t_\ell} \cdot F(m)^r, \qquad \sigma_1 = g^r,$$
$$\sigma_k = g^{x_i t_1 \cdots t_{\ell+2-k}} \quad \text{for } k \in \{2, \ldots, \ell+1\},$$
$$\sigma_k = g^{t_{k-\ell-1}} \quad \text{for } k \in \{\ell+2, \ldots, 2\ell+1\}.$$

Re-Sign($\ell + 1, m, \sigma^{(\ell+1)}, R_{ij}, X_i, X_j$): on input of a message $m \in \{0,1\}^n$, the re-signature key $R_{ij} = g^{x_i/x_j}$, 
a purported $(\ell+1)^{\text{th}}$ level signature 

$$\sigma^{(\ell+1)} = (\sigma_0, \ldots, \sigma_{2\ell+1}) = \left(h^{x_i t_1 \cdots t_\ell} \cdot F(m)^r,\ g^r,\ g^{x_i t_1 \cdots t_\ell},\ g^{x_i t_1 \cdots t_{\ell-1}},\ \ldots,\ g^{x_i t_1},\ g^{t_1},\ \ldots,\ g^{t_\ell}\right) \in \mathbb{G}^{2\ell+2}$$

and public keys $X_i, X_j$, check the correctness of $\sigma^{(\ell+1)}$ under $X_i$. If valid, $\sigma^{(\ell+1)}$ is translated for $X_j$ by 
sampling $r' \in \mathbb{Z}_p^*$, $(r_0, r_1, \ldots, r_\ell) \in (\mathbb{Z}_p^*)^{\ell+1}$ at random and setting $\sigma^{(\ell+2)} = (\sigma'_0, \ldots, \sigma'_{2\ell+3}) \in \mathbb{G}^{2\ell+4}$ where 

$$\sigma'_0 = \sigma_0^{r_0 r_1 \cdots r_\ell} \cdot F(m)^{r'}, \qquad \sigma'_1 = \sigma_1^{r_0 r_1 \cdots r_\ell} \cdot g^{r'},$$
$$\sigma'_k = \sigma_k^{r_0 r_1 \cdots r_{\ell+2-k}} \quad \text{for } k \in \{2, \ldots, \ell+1\},$$
$$\sigma'_{\ell+2} = X_i^{r_0}, \qquad \sigma'_{\ell+3} = R_{ij}^{r_0},$$
$$\sigma'_k = \sigma_{k-2}^{r_{k-\ell-3}} \quad \text{for } k \in \{\ell+4, \ldots, 2\ell+3\}.$$

If we define $\tilde{t}_0 = r_0 x_i / x_j$, $r'' = r_0 r_1 \cdots r_\ell \cdot r + r'$ and $\tilde{t}_k = r_k t_k$ for $k = 1, \ldots, \ell$, we observe that 

$$\sigma^{(\ell+2)} = \left(h^{x_j \tilde{t}_0 \tilde{t}_1 \cdots \tilde{t}_\ell} \cdot F(m)^{r''},\ g^{r''},\ g^{x_j \tilde{t}_0 \tilde{t}_1 \cdots \tilde{t}_\ell},\ g^{x_j \tilde{t}_0 \tilde{t}_1 \cdots \tilde{t}_{\ell-1}},\ \ldots,\ g^{x_j \tilde{t}_0},\ g^{\tilde{t}_0},\ g^{\tilde{t}_1},\ \ldots,\ g^{\tilde{t}_\ell}\right) \in \mathbb{G}^{2\ell+4}.$$

Verify($\ell + 1, m, \sigma^{(\ell+1)}, X_i$): a candidate signature $\sigma^{(\ell+1)} = (\sigma_0, \ldots, \sigma_{2\ell+1})$ is verified by testing if the 
following equalities hold: 

$$e(\sigma_0, g) = e(h, \sigma_2) \cdot e(F(m), \sigma_1),$$
$$e(\sigma_k, g) = e(\sigma_{k+1}, \sigma_{2\ell+3-k}) \quad \text{for } k \in \{2, \ldots, \ell\},$$
$$e(\sigma_{\ell+1}, g) = e(X_i, \sigma_{\ell+2}).$$

5.3 Security 

Theorem 2. The scheme with $L$ levels (and thus at most $L - 1$ hops) is a secure unidirectional PRS under 
the $(L-1)$-FlexDH and mCDH assumptions. 

Proof. The proof is very similar to the one of Theorem 1 and replaces random oracle manipulations by the 
tricks of [10, 27]. We prove the limited proxy and delegatee security properties under the $(L-1)$-FlexDH 
assumption. The delegator security is demonstrated under the mCDH assumption. 

Limited proxy security. We consider an adversary $\mathcal{A}_1$ with advantage $\varepsilon$. We describe an algorithm $\mathcal{B}_1$ solving 
a $(L-1)$-FlexDH instance $(A = g^a, B = g^b)$ with probability $\varepsilon / (4 q_s (n+1))$, where $q_s$ is the number of signing 
queries made by $\mathcal{A}_1$, within a comparable time. 

System parameters: The simulator $\mathcal{B}_1$ prepares common public parameters as follows. It first sets $h = B = g^b$. 
The $(n+1)$-vector $u = (u', u_1, \ldots, u_n)$ is defined by choosing $u' = h^{w' - \kappa\tau} \cdot g^{z'}$ and $u_i = h^{w_i} \cdot g^{z_i}$ 
for $i \in \{1, \ldots, n\}$ using random vectors $(w', w_1, \ldots, w_n) \in \mathbb{Z}_\tau^{n+1}$, $(z', z_1, \ldots, z_n) \in \mathbb{Z}_p^{n+1}$, where $\kappa \in 
\{0, \ldots, n\}$ is randomly chosen and $\tau = 2 q_s$. For any message $m = m_1 \ldots m_n \in \{0,1\}^n$, we have 

$$F(m) = u' \cdot \prod_{i=1}^{n} u_i^{m_i} = h^{J(m)} g^{K(m)}$$

for functions $J : \{0,1\}^n \to \mathbb{Z}$, $K : \{0,1\}^n \to \mathbb{Z}_p$ respectively defined as $J(m) = w' + \sum_{i=1}^{n} w_i m_i - \kappa\tau$ and 
$K(m) = z' + \sum_{i=1}^{n} z_i m_i$. As in [27], $\mathcal{B}_1$ will be successful if $J(m^*) = 0$ for the message $m^*$ of the forgery 
stage whereas $J(m) \neq 0$ for all messages $m \neq m^*$ queried for signature. Since $|J(\cdot)| < \tau(n+1) \ll p$, 
we have $J(m^*) = 0$ with non-negligible probability $\Omega(1/(\tau(n+1)))$. The adversary $\mathcal{A}_1$ is challenged on 
parameters $(g, h, u)$. 

Key generation: for user $i \in \{1, \ldots, N\}$, $\mathcal{B}_1$ defines a public key as $X_i = A^{x_i} = g^{a x_i}$, for a random 
$x_i \in \mathbb{Z}_p^*$, which virtually defines user $i$'s private key as $a x_i$. For pairs $(i, j)$, re-signature keys are chosen 
as $R_{ij} = g^{x_i/x_j} = g^{a x_i / (a x_j)}$. 

Signing queries: when a signature of signer $i$ is queried for a message $m$, $\mathcal{B}_1$ fails if $J(m) = 0 \bmod p$. 
Otherwise, following the technique of [10, 27], it can construct a signature by picking $r \in \mathbb{Z}_p$ at random and 
computing 

$$\sigma = (\sigma_1, \sigma_2) = \left(X_i^{-K(m)/J(m)} \cdot F(m)^r,\ X_i^{-1/J(m)} \cdot g^r\right),$$

which is returned to $\mathcal{A}_1$. If we define $\tilde{r} = r - (a x_i)/J(m)$, $\sigma$ has the correct distribution as 

$$\sigma_1 = h^{a x_i} \cdot F(m)^{\tilde{r}} \quad \text{and} \quad \sigma_2 = g^{r - (a x_i)/J(m)} = g^{\tilde{r}}.$$
After polynomially many queries, $\mathcal{A}_1$ comes up with a message $m^*$, that was never queried for signature for any 
signer, an index $i^* \in \{1, \ldots, N\}$ and a forgery 



which provides $\mathcal{B}_1$ with a valid $(2L-1)$-uple 




A completely similar analysis to [27] shows that $J(m^*) = 0$ with probability $1/(4 q_s (n+1))$, which yields the 
bound on $\mathcal{B}_1$'s advantage. 
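As an added worked example (not code from the paper), the following Python model implements Global-setup, Keygen, ReKeygen, Sign, Re-Sign and Verify of Sections 5.1 and 5.2, with Re-Sign written once for every level (the case $\ell = 0$ is exactly Re-Sign($1, \cdot$) of Section 5.1), together with the hash programming $F(m) = h^{J(m)} g^{K(m)}$ and the signing simulation of $\mathcal{B}_1$ just described. Everything runs in a simulated bilinear group in which each element is stored as its discrete logarithm modulo a small constructed prime, so the pairing is multiplication of exponents; this is enough to check that relations (4), (6), (7) and their multi-hop generalisation hold after each translation, and that $\mathcal{B}_1$'s simulated signatures verify exactly when $J(m) \neq 0$, but the model has no security whatsoever (the discrete logarithm is trivial by construction). The function names, the prime $p = 1000003$, $n = 8$ and the fixed seed are my choices.

```python
"""Added example (not the paper's code): a toy model of the standard-model
proxy re-signature of Sections 5.1-5.2 and of the signing simulation used by
B_1 in the limited proxy security proof of Section 5.3.  The bilinear group is
SIMULATED: an element is stored as its discrete log modulo a small prime p, so
that e(g^x, g^y) is just x*y mod p.  This verifies the algebra, nothing more:
the DLOG is trivial here, so this is not a usable cryptosystem."""
from math import prod
import random

p, n = 1000003, 8              # constructed toy prime group order; message bit-length
rng = random.Random(2008)      # fixed seed: the toy run is reproducible
rand_zp_star = lambda: rng.randrange(1, p)      # uniform in Z_p^*
inv = lambda a: pow(a, -1, p)                   # inverse modulo p


class G:
    """Element of G or G_T, held as its exponent w.r.t. the generator."""
    def __init__(self, exp): self.exp = exp % p
    def __mul__(self, o): return G(self.exp + o.exp)      # group law
    def __pow__(self, k): return G(self.exp * (k % p))    # exponentiation
    def __eq__(self, o): return self.exp == o.exp


def e(a, b):                   # symmetric pairing G x G -> G_T, on exponents
    return G(a.exp * b.exp)


# Global-setup: generators g, h and the Waters vector u = (u', u_1, ..., u_n)
g, h = G(1), G(rand_zp_star())
u = [G(rand_zp_star()) for _ in range(n + 1)]


def bits(m):                   # indices i with m_i = 1 (m_i is bit i of m)
    return [i for i in range(n) if (m >> i) & 1]


def F(m):                      # F(m) = u' * prod_{m_i = 1} u_i
    return prod((u[i + 1] for i in bits(m)), start=u[0])


def keygen(): x = rand_zp_star(); return x, g ** x        # (x_i, X_i = g^{x_i})


def rekeygen(x_j, X_i):        # R_ij = X_i^{1/x_j} = g^{x_i/x_j}
    return X_i ** inv(x_j)


def sign(level, m, x):
    """Sign(level, m, x_i): 2 elements at level 1, 2l+2 at level l+1 >= 2."""
    r = rand_zp_star()
    if level == 1:
        return [h ** x * F(m) ** r, g ** r]
    l = level - 1
    t = [rand_zp_star() for _ in range(l)]                  # (t_1, ..., t_l)
    sigma = [h ** (x * prod(t)) * F(m) ** r, g ** r]
    sigma += [g ** (x * prod(t[:l + 2 - k])) for k in range(2, l + 2)]
    sigma += [g ** t[k - l - 2] for k in range(l + 2, 2 * l + 2)]
    return sigma


def verify(level, m, sigma, X):
    """Relation (4) at level 1; (6)-(7) and their multi-hop form otherwise."""
    if level == 1:
        return len(sigma) == 2 and e(sigma[0], g) == e(X, h) * e(F(m), sigma[1])
    l = level - 1
    if len(sigma) != 2 * l + 2:
        return False
    ok = e(sigma[0], g) == e(h, sigma[2]) * e(F(m), sigma[1])
    for k in range(2, l + 1):
        ok &= e(sigma[k], g) == e(sigma[k + 1], sigma[2 * l + 3 - k])
    return ok and e(sigma[l + 1], g) == e(X, sigma[l + 2])


def resign(level, m, sigma, R_ij, X_i, X_j):
    """Re-Sign: a level-`level` signature of i becomes a level+1 one for j (X_j
    is interface only).  Written for l = level-1 >= 0; l = 0 is Section 5.1's
    Re-Sign(1, ...) with t = r_0.  Returns None if the input is invalid."""
    if not verify(level, m, sigma, X_i):
        return None
    l = level - 1
    r1 = rand_zp_star()
    rv = [rand_zp_star() for _ in range(l + 1)]             # (r_0, ..., r_l)
    out = [sigma[0] ** prod(rv) * F(m) ** r1, sigma[1] ** prod(rv) * g ** r1]
    out += [sigma[k] ** prod(rv[:l + 3 - k]) for k in range(2, l + 2)]
    out += [X_i ** rv[0], R_ij ** rv[0]]                    # g^{x_j t~_0}, g^{t~_0}
    out += [sigma[k - 2] ** rv[k - l - 3] for k in range(l + 4, 2 * l + 4)]
    return out


# Section 5.3, limited proxy security: B_1 holds A = g^a, B = g^b but not a, b.
def waters_setup(qs, B):
    """Program h = B, u' = h^{w' - kappa*tau} g^{z'}, u_i = h^{w_i} g^{z_i}, so
    that F(m) = h^{J(m)} g^{K(m)}; returns the integer functions J and K."""
    global h, u
    tau, kappa = 2 * qs, rng.randrange(0, n + 1)
    w = [rng.randrange(tau) for _ in range(n + 1)]
    z = [rng.randrange(p) for _ in range(n + 1)]
    J = lambda m: w[0] + sum(w[i + 1] for i in bits(m)) - kappa * tau
    K = lambda m: (z[0] + sum(z[i + 1] for i in bits(m))) % p
    h = B
    u = [h ** (w[0] - kappa * tau) * g ** z[0]]
    u += [h ** w[i] * g ** z[i] for i in range(1, n + 1)]
    return J, K


def simulated_sign(m, X, J, K):
    """Answer a level-1 signing query for X = A^x without the private key a*x:
    (X^{-K(m)/J(m)} F(m)^r, X^{-1/J(m)} g^r), or None (abort) if J(m) = 0."""
    if J(m) % p == 0:
        return None
    r, jinv = rand_zp_star(), inv(J(m) % p)
    return [X ** (-K(m) * jinv) * F(m) ** r, X ** (-jinv) * g ** r]
```

Two things worth trying with the model: re-signing with $R_{ii} = g$ raises a signature's level under the same public key (the trick $\mathcal{B}_4$ uses in the external security proof below), and a translated signature fails to verify under the wrong public key or under a different message, since both (6)/(7) and the level-1 relation (4) involve $X_i$ and $F(m)$.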

Delegatee security. A delegatee security adversary $\mathcal{A}_2$ also implies a breach in the $(L-1)$-FlexDH assumption. 
The simulator $\mathcal{B}_2$ is given $(A = g^a, B = g^b)$ and uses a strategy that is completely analogous to the one of 
simulator $\mathcal{B}_1$ in the proof of limited proxy security. 

System parameters and public keys: $\mathcal{B}_2$ prepares public parameters exactly as in the proof of limited 
proxy security. The public key of the target user is defined as $X_0 = A = g^a$. The attacker $\mathcal{A}_2$ must be 
provided with private keys for all the delegators of that user. For $i = 1, \ldots, N$, other public keys are 
therefore chosen as $X_i = g^{x_i}$ for randomly picked $x_i \in \mathbb{Z}_p^*$. The adversary $\mathcal{A}_2$ then receives $\{g, h = 
B, u, X_0 = g^a, x_1, \ldots, x_N\}$ as well as re-signature keys $R_{ij}$ for $i \in \{0, \ldots, N\}$ and $j \in \{1, \ldots, N\}$. These 
are set as $R_{0j} = A^{1/x_j} = g^{a/x_j}$ and $R_{ij} = g^{x_i/x_j}$ if $i \neq 0$. 

Signing queries: for all signers $i \neq 0$, $\mathcal{A}_2$ can generate signatures on her own. When a signature of the 
target signer is requested for a message $m$, $\mathcal{B}_2$ proceeds as $\mathcal{B}_1$ did when facing the limited proxy adversary 
$\mathcal{A}_1$. It fails if $J(m) = 0 \bmod p$ and can answer the query otherwise. 

When $\mathcal{A}_2$ eventually outputs a forgery $(\sigma_0^*, \ldots, \sigma_{2L-1}^*)$ at level $L$, $\mathcal{B}_2$ is successful if $J(m^*) = 0$ and extracts 
an admissible $(2L-1)$-uple as $\mathcal{B}_1$ did. 

Delegator security. A delegator security adversary $\mathcal{A}_3$ having advantage $\varepsilon$ after $q_s$ signing queries is finally 
shown to imply an algorithm $\mathcal{B}_3$ to solve a problem which is equivalent (under linear time reduction) to the 
mCDH problem with probability $\varepsilon / (4 q_s (n+1))$. Given $(g, A = g^a, A' = g^{1/a}, B = g^b)$, this problem is to find 
out $g^{ab}$. 

Public parameters and public key generation: Again, system parameters are prepared as in the proof 
of limited proxy security. Namely, $\mathcal{B}_3$ defines $h = B = g^b$ and chooses $u', u_1, \ldots, u_n$ so as to have $F(m) = 
h^{J(m)} g^{K(m)}$ for some functions $J, K : \{0,1\}^n \to \mathbb{Z}_p$ where $J$ cancels with non-negligible probability. The 
public key of the target delegator is set as $X_0 = A = g^a$. For $i = 1, \ldots, N$, remaining public keys are set as 
$X_i = g^{x_i}$ for a random $x_i \in \mathbb{Z}_p^*$. The adversary $\mathcal{A}_3$ receives $\{g, h = B, u, X_0 = g^a, X_1, \ldots, X_N\}$. This time, 
she is provided with all re-signature keys (including $R_{0j}$ and $R_{j0}$) and attempts to produce a first level 
forgery. For pairs such that $i, j \neq 0$, $\mathcal{B}_3$ sets $R_{ij} = g^{x_i/x_j}$. If $i = 0$, it defines $R_{0j} = A^{1/x_j} = g^{a/x_j}$. 
If $j = 0$ (and thus $i \neq 0$), $\mathcal{B}_3$ calculates $R_{i0} = A'^{x_i} = g^{x_i/a}$ and hands $(R_{ij})_{i,j}$ to $\mathcal{A}_3$. 
Signing queries: when $\mathcal{A}_3$ asks for a signature from the target delegator for a message $m$, $\mathcal{B}_3$ fails if 
$J(m) = 0 \bmod p$ and can answer the query exactly as in the proof of limited proxy security otherwise. 

Eventually, $\mathcal{A}_3$ produces a first level forgery $\sigma^{(1)*} = (\sigma_1^*, \sigma_2^*)$ for a message $m^*$ that was never queried 
for signature. If $J(m^*) \neq 0$, $\mathcal{B}_3$ fails. Otherwise, given that $(\sigma_1^*, \sigma_2^*) = (h^a \cdot g^{K(m^*) r}, g^r)$, $\mathcal{B}_3$ finds out 
$g^{ab} = \sigma_1^* / (\sigma_2^*)^{K(m^*)}$. 

External security. We consider an adversary $\mathcal{A}_4$ with advantage $\varepsilon$. We describe an algorithm $\mathcal{B}_4$ solving a 
$(L-1)$-FlexDH instance $(A = g^a, B = g^b)$ with probability $\varepsilon / (4N(q_s + q_{rs})(n+1))$ within comparable time, 
where $q_s$ and $q_{rs}$ are the number of signing and re-signing queries. 

System parameters: The simulator $\mathcal{B}_4$ prepares common public parameters as in the limited proxy security 
proof. In addition, it picks at random an integer $i^* \in \{1, \ldots, N\}$. 

Public key generation: when $\mathcal{A}_4$ asks for the creation of user $i \in \{1, \ldots, N\}$, $\mathcal{B}_4$ responds 

— with a newly generated public key $X_i = g^{x_i}$, for a random $x_i \in \mathbb{Z}_p^*$ if $i \neq i^*$ (s.t. $x_i$, user $i$'s private 
key, is known to the simulator); 

— with $X_{i^*} = A$ if $i = i^*$ (which virtually defines user $i^*$'s private key as $a$). 

Oracle queries: $\mathcal{A}_4$'s queries are handled as follows. 

• Signing queries: when a signature of signer $i$ is queried for a message $m$, 

- $\mathcal{B}_4$ uses its knowledge of $x_i$ to produce the signature if $i \neq i^*$; 

- $\mathcal{B}_4$ uses the simulation from the limited proxy security proof if $i = i^*$ (and therefore fails if 
$J(m) = 0 \bmod p$). 

• Re-signing queries: for such a query on input $(m, \sigma^{(\ell)}, i, j)$, $\mathcal{B}_4$ checks if $\sigma^{(\ell)}$ is a valid $\ell^{\text{th}}$ level 
signature on $m$ for some $\ell \in \{1, \ldots, L-1\}$ with respect to the public key $X_i$. If yes, $\mathcal{B}_4$ produces a 
first level signature on $m$ for user $j$ (using the previous simulation strategy), increases its level up to 
$\ell + 1$ (for the same public key) using the re-signing algorithm (with re-signature key simply equal to 
$g$) and outputs the resulting $(\ell+1)^{\text{th}}$ level signature. The simulation only fails if $J(m) = 0 \bmod p$ 
and $j = i^*$. 

After polynomially many queries, $\mathcal{A}_4$ comes up with a message $m^*$, an index $j^* \in \{1, \ldots, N\}$ and a forgery 
$\sigma^{(L)*} \in \mathbb{G}^{2L}$ at level $L$. Recall that $m^*$ cannot have been queried to signer $j^*$. Again, $\mathcal{B}_4$ fails if $J(m^*) \neq 0 
\bmod p$ or $j^* \neq i^*$. Otherwise, if $\sigma^{(L)*}$ is valid, $\mathcal{B}_4$ produces a valid $(L-1)$-FlexDH tuple as in the limited 
proxy security proof. A completely similar analysis to this proof ends up with the announced bound on $\mathcal{B}_4$'s 
advantage. □ 

6 Conclusions and Open Problems 

We described the first multi-use unidirectional proxy re-signatures, which solves a problem left open in 2005. 
The random-oracle-based proposal also offers efficiency improvements over existing solutions at the first level. 
The other scheme additionally happens to be the first unidirectional PRS in the standard model. 

Two major open problems remain. First, it would be interesting to see if multi-level unidirectional PRS 
have efficient realizations under more classical intractability assumptions. A perhaps more challenging task 
would be to find out implementations of such primitives where the size of signatures and the verification cost 
grow sub-linearly with the number of translations. 
A Generic hardness of $\ell$-FlexDH in bilinear groups 



To provide more confidence in the $\ell$-FlexDH assumption we prove a lower bound on the computational 
complexity of the $\ell$-FlexDH problem for generic groups equipped with bilinear maps. In [20], Kunz-Jacques 
and Pointcheval define a family of computational problems that enables to study variants of the CDH 
problem in the generic group model. Let $\mathcal{A}$ be an adversary in this model and $\varphi(X_1, \ldots, X_k, Y_1, \ldots, Y_\ell)$ be 
a multivariate polynomial whose coefficients might depend on $\mathcal{A}$'s behaviour. For values of $x_1, \ldots, x_k$ chosen 
by the simulator, and knowing their encodings, the goal of $\mathcal{A}$ is to compute the encodings of $y_1, \ldots, y_\ell$ such 
that 

$$\varphi(x_1, \ldots, x_k, y_1, \ldots, y_\ell) = 0.$$

All elements manipulated by $\mathcal{A}$ are linear polynomials in $x_1, \ldots, x_k$ and some new random elements 
introduced through the group oracle. Let us denote $P_i$ the polynomial corresponding to $y_i$ (it is a random 
variable); Kunz-Jacques and Pointcheval proved the following result. 

Theorem 3 ([20]). Let $d = \deg(\varphi)$ and $P_M$ be an upper bound for the probability 

$$\Pr[\varphi(X_1, \ldots, X_k, P_1(X_1, \ldots, X_k), \ldots, P_\ell(X_1, \ldots, X_k)) = 0].$$

Then the probability that $\mathcal{A}$ wins after $q_G$ queries satisfies 

$$\mathrm{Succ}(q_G) \leq P_M + \frac{(3 q_G + k + 2)^2}{2p} + \frac{d}{p}.$$

The choice $\varphi(X_1, X_2, Y_1, \ldots, Y_{\ell+1}) = Y_{\ell+1} - X_1 X_2 Y_1 \cdots Y_\ell$ implies the generic hardness of the problem $\ell$-
FlexDH in groups. The purpose of this section is to prove that Kunz-Jacques and Pointcheval's result also 
holds in generic bilinear groups and therefore that the problem $\ell$-FlexDH is intractable in these groups. 

Theorem 4. Let $d = \deg(\varphi)$ and $P_M$ be an upper bound for the probability 

$$\Pr[\varphi(X_1, \ldots, X_k, P_1(X_1, \ldots, X_k), \ldots, P_\ell(X_1, \ldots, X_k)) = 0].$$

Then the probability that $\mathcal{A}$ wins after $q_G$ oracle queries to the group operations in $\mathbb{G}$, $\mathbb{G}_T$ and to the bilinear 
map $e$ satisfies 

$$\mathrm{Succ}(q_G) \leq P_M + \frac{(3 q_G + k + 2)^2}{p} + \frac{d}{p}.$$

Proof. In the following, $I$ and $I_T$ denote the set $\{0, \ldots, p-1\}$ and are used to represent elements of $\mathbb{G}$ and 
$\mathbb{G}_T$ respectively. Following [20], in the generic bilinear group model, an adversary $\mathcal{A}$ has access to 

— an oracle $\mathfrak{G}$ that, on input $(a, b, r, r') \in \mathbb{Z}_p^2 \times I^2$, answers with the representation of $ax + bx'$ in $I$, where 
$r$ is the representation of $x$ and $r'$ the representation of $x'$; 

— an oracle $\mathfrak{G}_T$ that, on input $(a, b, r, r') \in \mathbb{Z}_p^2 \times I_T^2$, answers with the representation of $ax + bx'$ in $I_T$, 
where $r$ is the representation of $x$ and $r'$ the representation of $x'$; 

— an oracle $\mathfrak{E}$ that, on input $(a, b, r, r') \in \mathbb{Z}_p^2 \times I^2$, answers with the representation of $ax + bx'$ in $I_T$, where 
$r$ is the representation of $x$ and $r'$ the representation of $x'$. 

The connection between representations and elements of $\mathbb{Z}_p$ is managed by the simulator through two lists $\mathcal{L}$ 
and $\mathcal{L}_T$ of pairs $(x, r)$ associating an element with its representation. A representation $r$ in an oracle query 
input does not need to correspond to an element of $\mathbb{Z}_p$ in $\mathcal{L}$ or $\mathcal{L}_T$; if it does, the corresponding element is 
used, otherwise a random element $x$ is drawn by the simulator in $\mathbb{Z}_p$ and bound to $r$, that is, $(x, r)$ is added 
to $\mathcal{L}$ or $\mathcal{L}_T$. The same rule applies for the answer to the query: if $ax + bx' = x''$ with $(x'', r'')$ in $\mathcal{L}$ or $\mathcal{L}_T$, 
$r''$ is answered. Otherwise, a random representation $r''$ is chosen and $(x'', r'')$ is added to $\mathcal{L}$ or $\mathcal{L}_T$, and the 
answer to the oracle query is $r''$. Overall, each oracle query adds at most 3 pairs to $\mathcal{L}$ or $\mathcal{L}_T$. 
For our problem, initially we have 

$$\mathcal{L} = \{(0, r_0), (1, r_e), (x_1, r_1), \ldots, (x_k, r_k)\} \quad \text{and} \quad \mathcal{L}_T = \emptyset,$$

and $\mathcal{A}$ is given $r_0, r_e, r_1, \ldots, r_k$. $\mathcal{A}$'s goal is to output $r'_1, \ldots, r'_\ell$ corresponding to $y_1, \ldots, y_\ell$ in $\mathbb{Z}_p$ that, together 
with the $x_i$'s, cancel $\varphi$. The last queries of $\mathcal{A}$ are assumed to be of the form $\mathfrak{G}(1, 0, r'_i, r_e)$. $\mathcal{A}$ has won if 
$\varphi(x_1, \ldots, x_k, y_1, \ldots, y_\ell) = 0$ where $(y_i, r'_i) \in \mathcal{L}$. 
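As an added example (not code from [20] or from this paper), the following Python simulator implements the bookkeeping just described: the adversary only ever sees random representations in $I = I_T = \{0, \ldots, p-1\}$, the simulator keeps the lists $\mathcal{L}$ and $\mathcal{L}_T$, an unbound representation appearing in a query is bound to a fresh random element, and every query adds at most 3 pairs. Two choices are mine: the pairing oracle takes only the two representations and returns the representation of $x \cdot x'$ (the product that makes $\mathbb{G}_T$ entries quadratic in the unknowns, as the symbolic simulation below relies on), and the group order is a small constructed prime rather than a $\lambda$-bit one.

```python
"""Added example (not from [20] or the paper): a generic bilinear group
simulator in the style of the proof of Theorem 4.  Elements of G and G_T are
known to the adversary only through random representations (labels) in
I = I_T = {0, ..., p-1}; the simulator keeps the lists L and L_T of
(representation, element) pairs and answers the three oracles.  The pairing
oracle multiplies the two discrete logs (assumption: the paper's oracle E is
stated over four inputs).  p is a constructed toy prime."""
import random

p = 104729            # constructed toy prime: common order of G and G_T


class GenericBilinearGroup:
    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.L, self.LT = {}, {}      # representation -> element, for G and G_T
        self.queries = 0              # q_G: oracle queries made so far

    def _bind(self, table, r):
        """Element behind representation r; a fresh random one if r is unbound."""
        if r not in table:
            table[r] = self.rng.randrange(p)
        return table[r]

    def _represent(self, table, x):
        """Representation of x in table; a fresh random label if x is new."""
        for r, y in table.items():
            if y == x:
                return r
        while True:
            r = self.rng.randrange(p)
            if r not in table:
                table[r] = x
                return r

    def setup(self, *xs):
        """Initial L = {(0, r_0), (1, r_e), (x_1, r_1), ...}; returns the labels
        handed to the adversary, in that order.  L_T starts empty."""
        return [self._represent(self.L, v % p) for v in (0, 1) + xs]

    def oracle_G(self, a, b, r, r1):        # representation of a*x + b*x' in I
        self.queries += 1
        x, x1 = self._bind(self.L, r), self._bind(self.L, r1)
        return self._represent(self.L, (a * x + b * x1) % p)

    def oracle_GT(self, a, b, r, r1):       # same group law inside G_T
        self.queries += 1
        x, x1 = self._bind(self.LT, r), self._bind(self.LT, r1)
        return self._represent(self.LT, (a * x + b * x1) % p)

    def oracle_e(self, r, r1):             # pairing: representation of x*x' in I_T
        self.queries += 1
        x, x1 = self._bind(self.L, r), self._bind(self.L, r1)
        return self._represent(self.LT, (x * x1) % p)

    def size(self):                        # |L| + |L_T|, bounded by 3 q_G + k + 2
        return len(self.L) + len(self.LT)
```

The simulator's view (the dictionaries `L` and `LT`) is exactly what the adversary does not have: it can only compare labels, so re-querying the pairing on the same two labels in either order returns the same label, and the pair count after any sequence of queries stays within $3 q_G + k + 2$.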

To prove the generic hardness of the problem, we consider a simulator $\mathcal{S}'$ where random values in $\mathbb{Z}_p$ are 
replaced by formal unknowns $X_i$. Representations of elements of $\mathbb{G}$ (resp. $\mathbb{G}_T$) correspond to linear combinations 
(resp. quadratic polynomials) of these unknowns with coefficients in $\mathbb{Z}_p$. The simulation is similar to the 
one given in [20] and $\mathcal{A}$'s goal is to output $r'_1, \ldots, r'_\ell$ corresponding to linear polynomials $P_1, \ldots, P_\ell$ in 
$\mathbb{Z}_p[X_1, \ldots, X_k, \ldots]$ that, together with the unknowns $X_i$'s, cancel $\varphi$. 

The difference between $\mathcal{A}$'s success probability in the two simulations occurs only if, in $\mathcal{S}'$'s simulation, the 
representations of different polynomials (linear or quadratic) $P_1$ and $P_2$ collide. The number 
of polynomials in $\mathcal{L}$ and $\mathcal{L}_T$ is upper-bounded by $3 q_G + k + 2$ and their degree is at most two. Therefore, the 
difference appears with probability at most $(3 q_G + k + 2)^2 / p$. As in [20], the success criterion in $\mathcal{S}'$'s simulation 
is stricter than in $\mathcal{S}$'s simulation and as above the probability that $\mathcal{A}$ succeeds in $\mathcal{S}$'s simulation but not in 
$\mathcal{S}'$'s simulation is upper-bounded by $d/p$ (since $\varphi$ is of degree $d$ and the $P_i$'s are linear polynomials). □ 